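% Beamer section: Public Key Infrastructure.
% Relies on the shared preamble (configpres) and trailer (tailpres) of the
% course deck; \lximg is presumably a slide-icon hook read by those files --
% verify against configpres before renaming it.
\def\lximg{/usr/share/lx/icons/fueller.png}% \def kept on purpose: configpres may or may not predefine \lximg, so \newcommand/\renewcommand would be fragile
\newcommand*{\superscript}[1]{\ensuremath{^{\textrm{#1}}}}
\newcommand*{\subscript}[1]{\ensuremath{_{\textrm{#1}}}}
\input{configpres}
\subsection{Public Key Infrastructure}
\title{Public Key Infrastructure}
\maketitle
\def\lximg{none}% icon off for the remaining frames

\begin{frame}
  \frametitle{Contents}
  \tableofcontents
\end{frame}

% ----------------------------
\subsubsection{Fundamentals}

\begin{frame}
  % No [fragile] needed (no verbatim content) and no figure environment:
  % floats are meaningless inside a beamer frame, and [h] only produced a
  % warning. scale= is kept to preserve the author's sizing; width=...\linewidth
  % would be the portable choice once the image dimensions are known.
  \frametitle{Overview}
  \centering
  \includegraphics[scale=0.6]{images/pki-overview.png}
\end{frame}

% ----------------------------
\begin{frame}
  \frametitle{Roles}
  \begin{itemize}
    \item Certificate Authority
      \begin{itemize}
        \item Issue CA-Certificate (CA Public Key)
        \item Sign Public Keys (with CA Private Key)
      \end{itemize}
    \item Validation Authority
      \begin{itemize}
        \item Provide signed Certificates
        \item Unique relation between Client and Certificate
      \end{itemize}
    \item Registration Authority
      \begin{itemize}
        \item Process Certificate Signing Requests
        \item Ensure Client's Identity
      \end{itemize}
  \end{itemize}
\end{frame}

% ----------------------------
\begin{frame}
  \frametitle{Elements (1)}
  \begin{itemize}
    \item Key Pair
      \begin{itemize}
        \item Public and Private Key
      \end{itemize}
    \item Signature (of Payload)
      \begin{itemize}
        % "Hash encrypted with the private key" describes only textbook RSA;
        % signature schemes in general (e.g. ECDSA/EdDSA) have no encryption
        % step, so the slide says "signed" rather than "encrypted".
        \item Payload-Hash, signed with the Private Key of the Signer
      \end{itemize}
    \item Certificate Signing Request
      \begin{itemize}
        \item Public Key of the Requester
        \item Meta-Information about the Requester
        \item Signature from the Requester (self-signed)
      \end{itemize}
  \end{itemize}
\end{frame}

% ----------------------------
\begin{frame}
  \frametitle{Elements (2)}
  \begin{itemize}
    \item Certificate (of Owner)
      \begin{itemize}
        \item Public Key of the Owner
        \item Verified Meta-Information about the Owner
        \item Signature from the Owner (self-signed)
        \item Signatures of others (e.g.\ the CA)
      \end{itemize}
    \item Certificate Revocation List
      \begin{itemize}
        \item Revoked Certificates
      \end{itemize}
    \item Directory Server
      \begin{itemize}
        \item Certification Directory
        \item e.g.\ LDAP- or X.500-Server
      \end{itemize}
  \end{itemize}
\end{frame}

% ----------------------------
\subsubsection{Workflows}

\begin{frame}
  \frametitle{Create CA-Certificate}
  \begin{itemize}
    \item Create Key-Pair
    \item Self-Sign Public Key
    \item opt: generate Certificate Signing Request for Root CA
    \item Send CA-Certificate to Directory Server and/or Validation Authority
  \end{itemize}
\end{frame}

% ----------------------------
\begin{frame}
  \frametitle{Process Client Certificate}
  \begin{itemize}
    \item Requester
      \begin{itemize}
        \item Create Key-Pair
        \item Create Certificate Signing Request (Meta-Info)
        \item Send it to the RA
      \end{itemize}
    \item Registration Authority
      \begin{itemize}
        \item Validate Signature in CSR
        \item Validate Meta-Information of Requester
        \item Forward CSR to the CA
      \end{itemize}
    \item Certificate Authority
      \begin{itemize}
        \item Validate Signature in CSR
        \item Sign CSR
        \item Send Certificate to Requester and Directory Server
      \end{itemize}
  \end{itemize}
\end{frame}

% ----------------------------
\begin{frame}
  \frametitle{Working with Client Certificate}
  \begin{itemize}
    \item Client
      \begin{itemize}
        \item Send signed Request to Server
      \end{itemize}
    \item Server
      \begin{itemize}
        \item Send Signature Validation Request to VA
      \end{itemize}
    \item Validation Authority
      \begin{itemize}
        \item Retrieve Client's Certificate in Directory Server
        % The CRL is the only revocation mechanism shown; OCSP is the other
        % common one and may be worth a mention in the talk.
        \item Check Certificate Revocation List
        \item Validate Client's Certificate with CA-Certificate
        \item Validate Signature with Client's Certificate
      \end{itemize}
  \end{itemize}
\end{frame}

% ----------------------------
\subsubsection{Trust}

\begin{frame}
  \frametitle{Trust Models}
  \begin{itemize}
    \item Strict Hierarchy
      \begin{itemize}
        \item No Signing between Levels
        \item Simple and efficient
        \item Compromising Root affects whole Tree
      \end{itemize}
    \item Cross-Signing
      \begin{itemize}
        \item Certificates signed by multiple CAs
        % Holds for loss of trust in the tree. Note for the talk: with several
        % valid trust paths, compromise of any one signing CA is enough to
        % issue a certificate that validates, so the attack surface grows.
        \item More than one Root must be compromised to affect the Tree
      \end{itemize}
    \item Web of Trust
      \begin{itemize}
        \item High Security
        \item Individual Trust
        \item High Maintenance Effort
      \end{itemize}
  \end{itemize}
\end{frame}

% ----------------------------
\subsubsection{Tools}

\begin{frame}
  \frametitle{Tools}
  Commandline
  \begin{itemize}
    \item OpenSSL
    \item easy-rsa
  \end{itemize}
  GUI/Web
  \begin{itemize}
    \item OpenCA
    \item XCA (UI for Linux, Mac and Windows)
  \end{itemize}
\end{frame}

% ----------------------------
\subsubsection{Related Links}

\begin{frame}
  Starting point on Wikipedia
  \begin{itemize}
    % Underscores need no escaping inside \url; the escaped form relied on
    % hyperref normalising "\_" and is not portable to the plain url package.
    \item \url{https://en.wikipedia.org/wiki/Public_key_infrastructure}
  \end{itemize}
  Tools
  \begin{itemize}
    \item \url{http://www.openssl.org/}
    \item \url{http://openvpn.net/easyrsa.html}
    \item \url{http://www.openca.org/}
    \item \url{http://xca.sourceforge.net/}
  \end{itemize}
\end{frame}

\subsection{}% empty subsection kept: presumably a deck-template convention consumed by tailpres -- verify before removing
\input{tailpres}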